Introducing NETSCOUT’s Threat Intelligence Report

NETSCOUT’s Arbor Active Threat Level Analysis System (ATLAS®) has actively monitored the global internet threat landscape since 2007. Today, it provides us with visibility into approximately one-third of the global internet. With this new report, we’re sharing findings from our singular vantage point.

As threats grow across the landscape, NETSCOUT's unique position protecting enterprise networks and the internet through our service provider customers gives us wide visibility into this dynamic and ever-changing environment. By drawing on that comprehensive view with analysis driven by NETSCOUT's ATLAS Security Engineering & Response Team (ASERT), we have created a representative view of the threat landscape as we observed in the first six months of 2018 based on all our data and driven by extensive research and analysis.

What did we find? The complexion of the threat landscape is moving more rapidly, expanding footprint and changing tactics. Methods that are commonplace in the DDoS threat tool kit have sprung to crimeware and espionage. This accelerating internet-scale threat paradigm changes the frontiers for where and how attacks can be launched, observed and interdicted.

Here are the highlights:

1. DDoS attacks enter the terabit era

Last winter’s Memcached-based attacks ushered in the terabit era of DDoS attacks. In fact, NETSCOUT Arbor mitigated the largest DDoS attack yet seen, a 1.7 Tbps DDoS attack in February of 2018.

2. Attack volume up, frequency down

We saw about 2.8 billion attacks in the first half of 2018. While that’s a huge number of attacks, the big news lies in size rather than frequency.

From 2017 to 2018, we saw a slight drop in attack frequency accompanied by a dramatic increase in attack size and scale. However, that drop in frequency doesn’t mean that DDoS attacks are abating. The maximum size of DDoS attacks increased 174% in H1 2018 compared with the same timeframe in 2017. It is our assessment that as attack tools grow more sophisticated, attackers have found it easier and cheaper to launch larger, more effective attacks.

3. APT groups expand beyond traditional arena

More nations are operating offensive cyber programs and we in the research community are observing a broader set of threat actors. Indeed, nation-state-sponsored activity has developed beyond the actors commonly associated with China and Russia, as our findings include campaigns attributed to Iran, North Korea and Vietnam.

4. Crimeware actors diversify attack methods

While email campaigns remain the primary attack venue, we observed notable changes in methods designed to accelerate malware proliferation. Inspired by 2017 worm events such as WannaCry, major crimeware groups added worm modules to other malware with distinct objectives such as credential-theft or traditional loaders. We also saw an increased focus on cryptocurrency mining in malware. It seems that attackers see this method as a less risky and more profitable alternative to ransomware, since the latter has the unfortunate side effect of drawing attention from law enforcement agencies.

5. Countries can be highly targeted by DDoS campaigns

While the trend of a large increase in size of attacks over a growth in frequency played out fairly consistently across regions, we saw some countries and regions disproportionately targeted. The Asia Pacific experienced a disproportionally large number of high-volume attacks in comparison with other regions. China emerged as highly targeted country, with 17 attacks greater than 500 Gbps in the first half of 2018 versus none during the same timeframe the year before.

6. Vertical industry targets expand

Our analysis of targeted verticals reveals some insights year over year. Telecommunications providers and hosting services continued to observe the overwhelming majority of attacks, but we also saw big shifts year over year in a number of vertical sectors. Attacks on system integrators and consultancies were up, and government agencies such as consulates, embassies, the International Monetary Fund, the State Department, and the United Nations experienced a sharp uptick in attacks. This aligns with the use of DDoS against targets by government as well as those ideologically opposed to the interests represented by these institutions.

7. New DDoS attack vectors are rapidly leveraged...

The Memcached attack campaign used vulnerabilities in misconfigured Memcached servers to launch enormous DDoS attacks, a process that took very little time from initial reporting to the first attack tool being made available and utilized to cause global impact. While there was considerable mobilization worldwide to fix vulnerable servers, the vector remains exploitable and will continue to be used. The reality is, once a DDoS type is invented, it never really goes away.

8. ...While old ones get new life

Simple Service Discovery Protocol (SSDP) has been used for reflection/amplification attacks for many years, and ASERT debunked reports this year that claimed this existing tool represented a new type of DDoS campaign with potentially millions of vulnerable devices. However,

ASERT did uncover a new class of SSDP abuse where naive devices will respond to SSDP reflection/amplification attacks with a non-standard port. The resulting flood of UDP packets has ephemeral source and destination ports, making mitigation more difficult—an SSDP diffraction attack.

9. Targeted APT campaign can involve internet-scale footprints

As nation-state APT groups continue to develop globally, we were particularly interested in the observations of internet-scale activity in the strategic sphere, where campaigns such as NotPetya, CCleaner, VPNFilter, etc., involved broad proliferation across the internet, even as the ultimate targets in some instances were highly selective. These are distinct from the targeted attacks enterprises have become accustomed to dealing with over time, which often involve direct spear-phishing and limited scope to avoid detection and maintain presence. In this respect, targeted campaigns can now be backed by internet-scale intrusions

10. New crimeware platforms and targets emerge

Not satisfied with adding new malware modules, crimeware actors also busily developed new platforms, such as such as the Kardon Loader beta observed by ASERT. At the same time, well-known malware platforms such as Panda Banker are being directed at new targets.